CODEWITHSUNDEEP
firebasegoogle-cloud-firestorefirebase-security
Akshay
Akshay

Reputation: 2763

Restricting Cloud Firestore to a specific domain

Is there a way to restrict Cloud Firestore (for hosting/web) to do CRUD operations with restrictions to one domain only, say xyz.com?

For example, the rule below locks read, update, delete without authorisation but you can still write things to the database.

service cloud.firestore {
  match /databases/{database}/documents {
    match /coming-soon-email-ids/{document=**} {
      allow write;
      allow read, update, delete: if request.auth.uid == !null;
    }
  }
}

Or do I have to integrate Google's firewall in it?

Upvotes: 7

Views: 10024

Answers (2)

kevin parra
kevin parra

Reputation: 436

I had the same question, and I coming up with a solution. You can do sign In anonymously:

const signIn = async () => {
auth.signInAnonymously()
.then(() => {
  // Signed in..
})
.catch((error) => {
  var errorCode = error.code;
  var errorMessage = error.message;
  // ...
});

Then you can put your rules like:

allow read, write: if request.auth != null;

Then in authentication, you can activate the a anonymous method for sign in and add your authorized domains.

Upvotes: 4

Doug Stevenson
Doug Stevenson

Reputation: 317392

Firebase security rules aren't able to restrict access to a web domain. In a very general sense, it is not possible, because Firestore is intended to be accessed from mobile clients around the world, using web, Android, and iOS. Android and iOS clients never appear to be coming from some domain. They just directly access the database via the provided client library, or sometimes through the Firestore REST API. Web clients may even spoof their apparent domain (which is only really available by the insecure "Referrer" header in an HTTP request).

You can only really restrict access to users signed in to your app or site using Firebase Authentication, but you can't limit where they come from.

Upvotes: 10

Related Questions